Stored Cross-Site Scripting in Smash Balloon Photo Feed Plugin for WordPress
CVE-2025-4583
5.4 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 29 May 2025
What is CVE-2025-4583?
The Smash Balloon Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to inadequate input validation and output escaping in the data-plugin attribute. This vulnerability allows authenticated attackers with Contributor-level access or higher to embed malicious scripts within pages. When users access those pages, the scripts execute in their browsers, potentially compromising user data and site integrity.
Affected Version(s)
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin * <= 6.9.0